Critical flaw opens Windows to rogue Java

ANALYSIS
One of the first security bulletins to be rated under Microsoft's new, tougher Critical criteria is MS02-069, which includes notice of a COM Object Access Vulnerability that may let attackers run untrusted Java applets and therefore take over a Windows system remotely, perform almost any action, and read or modify any file. The bulletin also covers seven other risks associated with the Microsoft Virtual Machine. Part of the new policy implemented by Microsoft is a dual bulletin system that also includes a less technical, user-oriented version of this bulletin, which will provide all the details needed by most users.

Details

The Microsoft Virtual Machine involved in these reported vulnerabilities is the engine used to run Java applets on Windows systems and can be found on nearly all systems running Windows 98 or later. Some of the problems corrected by this patch are rated as Low threats, but the inclusion of one Critical and one Important threat, along with two Moderate threats, should make this a mandatory upgrade for many systems, with the notable exception of those that have reasonable protection, as detailed in the "Mitigating factors" section below.

The Component Object Model (COM) Object Access Vulnerability is the most dangerous because it allows an attacker to bypass the normal security procedures that should prevent untrusted Java applets from running. The part of this multifaceted fix that addresses the critical COM vulnerability closes that loophole so that the VM will run only trusted Java applets, whether the user encounters them by visiting a Web site or by opening an HTML e-mail message.

Another vulnerability, rated Important by Microsoft, is the CODEBASE Spoofing Vulnerability. Exploiting this vulnerability would allow an attacker to read, but not alter, files on the vulnerable system.

Applicability

Virtually all installed versions of the Microsoft Virtual Machine are covered by this bulletin, but specifically those with build versions up to and including build 5.0.3805. To confirm that your system has the VM installed, open the Command Prompt and run the command jview. If the Microsoft VM is installed, this should bring up a help screen that lists the current version number.

Risk level - critical

The Critical COM Object Access Vulnerability could allow an attacker's Java applet, delivered either from a malicious Web site or in an HTML e-mail, to gain complete access to the data on the vulnerable system, including the content of cookies and other sensitive information. The other vulnerabilities addressed by the same patch pose a variety of threat levels but, since one patch fixes all of them, you should refer to the Microsoft bulletin if you need more details after reading about the mitigating factors.

Mitigating factors

Microsoft reports that Web-based COM Object Access Vulnerability attacks would be blocked if Java applets are disabled in the IE security zone that covers the attacker's Web site. E-mail attacks would be blocked by Outlook Express 6 and Outlook 2002, which disable Java by default, and by Outlook 98 or 2000, either of which disables Java if the Outlook Email Security Update is installed. The CODEBASE vulnerability would be mitigated by the same factors, as would both of the Moderate threats and all but one of the Low threats.

Fix

See the security bulletin for instructions on how to upgrade the various versions. If running jview shows that you already have a version later than 3809 installed, then you don't need to update. All of these vulnerabilities are supposed to be corrected in that and later versions, and so can be fixed by upgrading to a new version of the VM.

All but one of these vulnerabilities are mitigated in some common configurations, and the one that isn't is a very low-level threat (the Incomplete Java Object Instantiation Vulnerability); it would simply cause the VM to crash until restarted. As a result, many installations may not need this upgrade, but it's important to verify that the Outlook protections are in place on your systems before relying on the mitigating factors for protection.

Final word

I think this is a good example of the way Microsoft intends to use the new rating system. In this security bulletin, a single update to the Virtual Machine is grouped in with a variety of other fixes. However, the use of the Critical rating makes it easy to determine whether you need to install the patch. As stated above, good security practices would probably block the attack vector for the one critical flaw, so there may not be a real need to apply this patch. But at least it's easy to identify this security bulletin as one that must be evaluated on a case-by-case basis.
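The jview version check described under "Applicability" and "Fix" can be scripted so that a fleet of Windows hosts can be triaged against build 3809. The following is an added example, not code from the article or from Microsoft; it assumes that jview prints a "Version a.b.cccc" field somewhere in its banner (the article only says it shows a help screen with the version number), and the sample banner strings are constructed so the check runs offline.

```python
import re
import subprocess

# Build that the bulletin text above says corrects these flaws.
FIXED_BUILD = 3809

# Constructed sample banners (assumed format) so the check can run offline.
SAMPLE_VULNERABLE = "Microsoft (R) Command-line Loader for Java Version 5.00.3805"
SAMPLE_PATCHED = "Microsoft (R) Command-line Loader for Java Version 5.00.3810"


def parse_vm_build(banner):
    """Pull the build number (last dotted field) out of jview's banner text.

    Returns None when no 'Version a.b.cccc' field is present.
    """
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", banner)
    return int(m.group(3)) if m else None


def assess_vm(banner):
    """Classify a host from its jview output.

    None         -> 'no-vm'       (jview not found: nothing to patch)
    no version   -> 'unknown'     (inspect the host manually)
    build < 3809 -> 'vulnerable'  (apply MS02-069)
    build >= 3809 -> 'patched'    (bulletin: 3809 and later are corrected)
    """
    if banner is None:
        return "no-vm"
    build = parse_vm_build(banner)
    if build is None:
        return "unknown"
    return "patched" if build >= FIXED_BUILD else "vulnerable"


def run_jview():
    """Run jview with no arguments and return its combined output, or None if absent."""
    try:
        proc = subprocess.run(["jview"], capture_output=True, text=True, timeout=15)
    except OSError:
        return None          # jview.exe is not on PATH: no Microsoft VM
    except subprocess.TimeoutExpired:
        return ""            # hung or interactive: report as 'unknown'
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for name, text in (("sample-3805", SAMPLE_VULNERABLE), ("sample-3810", SAMPLE_PATCHED)):
        print(f"{name}: {assess_vm(text)}")
    print(f"this host: {assess_vm(run_jview())}")
```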